From 29ad9305e8dfaaaa99933eaad34dc29ced78d3d0 Mon Sep 17 00:00:00 2001
From: Guangning E
Date: Fri, 28 Feb 2025 22:41:47 +0800
Subject: [PATCH] fix: reduce s3table access permission (#120)
---
 modules/aws/s3-table-access/main.tf | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)
diff --git a/modules/aws/s3-table-access/main.tf b/modules/aws/s3-table-access/main.tf
index ad8279d..38598bb 100644
--- a/modules/aws/s3-table-access/main.tf
+++ b/modules/aws/s3-table-access/main.tf
@@ -1,6 +1,7 @@
 data "aws_caller_identity" "current" {}
 locals {
- s3_tables_resource = distinct([for item in var.s3_tables : endswith(item, "/*") ? "${item}" : "${item}/*"])
+ s3_tables_resource = distinct(var.s3_tables)
+ s3_tables_path_resource = distinct([for item in local.s3_tables_resource : "${item}/*"])
 tag_set = merge({ Vendor = "StreamNative", Module = "StreamNative S3 Table Access", SNVersion = var.sn_policy_version }, var.tags)
 }
@@ -44,7 +45,7 @@ resource "aws_iam_role_policy" "s3_access_policy" {
 "s3tables:GetTableData",
 "s3tables:PutTableData"
 ],
- "Resource" : local.s3_tables_resource
+ "Resource" : concat(local.s3_tables_resource, local.s3_tables_path_resource)
 }
 ]
 })
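Review bot: The new `s3_tables_resource` in the first hunk drops the `endswith(item, "/*")` normalization the removed line had, so an entry of `var.s3_tables` that already ends in `/*` now produces a `.../*/*` entry in `s3_tables_path_resource` and a bare `.../*` entry in the Resource list used in the second hunk, which is the wildcard form this commit is trying to tighten. Normalizing on the way in keeps the caller's contract unchanged while preserving the narrower policy: `s3_tables_resource = distinct([for item in var.s3_tables : trimsuffix(item, "/*")])`. Also note that the resulting Resource list is a superset of the old one — each ARN is now granted bare as well as with `/*` — so the statement's actions (listed above the hunk, only `s3tables:GetTableData`/`PutTableData` are visible) are presumably a mix of bucket-level and table-level actions; a short comment on the locals saying why both forms are required, e.g. `# bare table-bucket ARN for bucket-level actions, "<arn>/*" for table-level actions`, would make that intent explicit. The `aws_iam_role_policy.s3_access_policy` block begins outside the second hunk.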